Page 45 - Privacy_Program
PRIVACY INCIDENTS, COMPLAINTS, AND COMPLIANCE [DP180]
Scope: Enterprise
Distribution: Executive Leadership Team; Privacy and Data Security Office; Services and Programs Staff with access to Privacy‐Restricted Participant Information; All Managers and Supervisors
Purpose: To ensure compliance with privacy policies and procedures.
External Regulation or Standard: MGDPA; GAPP Principle 10: Monitoring and Enforcement; 45 C.F.R. §164.530(f) – mitigation; 45 C.F.R. §164.530(i)(j) – changes in policies, procedures, and laws; 45 C.F.R. §164.530(g) – refraining from intimidating or retaliatory acts
| Who is Responsible | Statement Number | Policy, Standard, or Procedure Statement |
| --- | --- | --- |
| Director of Information Technology, Privacy and Data Security | DP180.1 | The organization will annually review its compliance with privacy policies and procedures, commitments and applicable laws, regulations, service‐level agreements, and other contracts. |
| Privacy and Data Security Officer | DP180.2 | The results of these annual reviews are reported to management. |
| Executive Team | DP180.3 | Instances of noncompliance with privacy policies and procedures are documented and reported and, if needed, corrective measures are taken on a timely basis. |
| Director of Information Technology, Privacy and Data Security | DP180.4 | The organization notifies employees how to report privacy incidents and vulnerabilities in a timely manner. |
| Director of Information Technology, Privacy and Data Security | DP180.5 | The organization monitors the resolution of reported privacy incidents and vulnerabilities to ensure appropriate corrective measures are taken on a timely basis. |
| Executive Team | DP180.6 | The organization mitigates harm caused by the use or disclosure of personal information in violation of the organization's privacy policies and procedures. |
| Director of Information Technology, Privacy and Data Security | DP180.7 | The organization records, responds to, and resolves all privacy‐related complaints in a timely manner. |
| Complainant | DP180.8 | Any complaint alleging a violation of uses and disclosures of privacy restricted participant information or other individual rights described in the Goodwill‐Easter Seals Privacy Notice (and Tennessen Warning) must be in writing. Upon request, alternative modifications for filing complaints, such as personal interviews or a tape recording of the complaint will be made available. |

DP180.8a The complaint should contain information about the alleged unauthorized use or
disclosure of privacy restricted participant information or other violation of their
individual rights described in the Notice and should include:
• Name and address of complainant
• Telephone number of complainant
• Alternative means of contact
• Location, date and description of the violation
GES CONFIDENTIAL